How to prepare a SOC-as-a-service RFP

Here's how one company structured its SOCaaS request for proposal document. Key takeaway: Don't be afraid to ask for too many details.

In response to my article on evaluating SOC-as-a-service providers, a reader sent in a detailed and thorough copy of his request for proposal (RFP) and agreed to share it here. He has a lot of security background and works for a large trucking carrier that operates services throughout North America. If you think they are guys driving trucks, you would be wrong. His company has been on the forefront of using technology in their business, including deploying roll stability, disc brakes, GPS trackers and accident avoidance systems.

While the firm has a rich tech background, it doesn’t have an extensive security staff and wanted a SOCaaS vendor to help manage the alerts across their enterprise, including the sensors embedded in their rolling stock and in offices. In that regard, it is typical of a medium-sized enterprise.

The company got more than three dozen responses to its RFP, many of them with complete and detailed answers. The respondents included Rocus Networks, AT&T, Sword and Shield, Darktrace, Rapid7, Sumo Logic, IBM, GuidePoint and Arctic Wolf. Interestingly, the price quotes varied from $50,000 to $500,000 per year for the services cited. The company evaluated and scored each vendor’s response and placed them in a giant spreadsheet – the ultimate database tool – to come up with five finalists, who were asked for additional information before the trucking firm chose a winner.

What interested me about the entire exercise, at least from my outsider’s perspective, is how detailed the questions were and how willing the vendors were to answer more than 100 questions. Clearly, the vendors are looking for customers, and given the fees involved, you can see why. This means that if you are in the market for a SOCaaS provider, err on the side of completeness and put as much effort as you can into understanding their business model and how they will provide their services.

SOCaaS RFP categories

Let’s look at the eight overall categories of the RFP and some of what they requested:

Corporate capabilities: These included the number of individual SOCs and where they were located, how long the vendor has been in business, the percent of revenues spent on R&D, the number of current managed customers (with at least three current referenceable accounts), and details about any continuity-of-service arrangements and insurance contracts covering their business.

Staffing qualifications: These questions included how many employees the vendor has in total and how many work on managed services, and how staff are screened, hired and trained. The RFP also asked for details on the security certifications held by SOC staff and whether the SOCs are staffed 24/7.

Service methodology: The RFP wanted details on how managed services are delivered, what pieces use third-party providers, whether any tools are proprietary or open source, and how these tools will work with the company’s existing threat management and incident response product portfolios. It also wanted details on how the monitoring tools would work and whether they would require CASBs or use native agents.

SIEM and other security management specifics: Here the RFP wanted details about the workflows and processes of the event lifecycle, including how an event is described to a SOC analyst, how it is evaluated, and how the customer is alerted to its existence and its ultimate resolution. The company also wanted to understand the level of interaction among the vendor’s various services.

Analytic capabilities: The RFP goes into detail about how the provider will implement watch lists, what technologies are used to provide analytics, specific forensics, data visualizations and other real-time analytics, and which vendors are used for endpoint detection and response (EDR) and managed detection and response (MDR) offerings.

Dashboards and portals description: The RFP asks how many separate portals and dashboards will be used to deliver the managed service itself. Which authentication and identity management systems are used? Does this equipment make use of STIX or TAXII or other similar protocols? The RFP also asked for report samples and how this data can be exported to be used by other software.

Service level agreement (SLA) specifics: The RFP requests a sample SLA and how its performance will be reported back, and what the SLA covers in detail. It also requested details about how the SLA will be audited, what happens when the firm has a complaint, and how non-compliance with the SLA would be escalated and resolved.

Pricing and contractual specifics: Finally, we get to the cost of the proposal. This is broken down into more than a dozen specific questions, including details on the number of sensors, devices, servers and the like, and different pricing tiers based on the level of service included. There are other questions on the contract specifics, such as how long the quote remains valid and any discounts available, along with any other optional extras that can be (or need to be) purchased.

Key questions to ask on a SOCaaS RFP

A few of the questions on the RFP are particularly interesting and worth asking. I have highlighted them below:

Please provide an example of how your services detected and addressed a recent security incident.

Explain how you use external data such as threat intelligence feeds to analyze potential threats to our potential environment and describe what access to this data we will have.

Explain your ability to analyze this data to identify when you observe changes in behavior of users or systems and how this represents risk to our environment.

Explain your methodology for reducing false positives and false negatives and for classifying security-related events that represent a risk to us.

How are big data platforms used to support the collection/analysis of network and endpoint data?

Is there a smartphone/tablet application available for your dashboard or portal? If so, briefly describe the supported platforms and their functionality.

David Strom writes and speaks about security, networking and communications topics for CSO Online, Network World, Computerworld and other publications. He can be reached through his web site, or on Twitter @dstrom.